Guard The Keys to the Kingdom!

In the digital world, passwords, passphrases, wireless keys, and encryption keys are the "keys" to a company's cyber universe. In most cases, these keys are kept in the hands of a select few people for security purposes, and in many cases they lie in the custody of just one person.

Enter a case in Indiana where the administrator of the American College of Education was fired and, as the college alleges, he wiped clean the credentials to the network. The college was successful in working with Google, through litigation, to restore access to the administrative accounts but...

How could this have been prevented?

  1. The college claims the admin did not follow proper procedures. This is easy to believe because Google draws very blurry lines between personal and business accounts when linking them for convenience. Many cloud applications do this as well, so I recommend keeping business and personal accounts separate despite the inconvenience.
  2. Use of a password manager that logs each credential access can provide an added level of protection. There are many out there but I prefer one that is self-hosted and secured by a competent administrator to hedge against attacks leveraged against cloud password management platforms.
  3. Have clear processes and procedures, as well as an Acceptable Use Policy that every employee understands. This way, there's no question about how terminations should be handled.
  4. Understand the sensitivity of terminating any relationship that holds administrative credentials, whether with internal IT employees or external vendors. The incumbent should not be permitted to access the system at all after the termination and should insist on being distanced from the system during the transition, to protect your organization and themselves (or their organization, in the case of a vendor). They should be cooperative and forthcoming about every access method and should insist that every access method is addressed. With IT vendors, this could include the many small tools and applications used in managing the network.
  5. Contemplate the divorce: plan for this and understand how it will happen. Things happen: people, priorities, and circumstances change and relationships end for many reasons. Being forthcoming about how a split happens instills trust and shows goodwill.
  6. Assign multiple admins and insist on the use of personal admin credentials with a sealed "super admin" for emergency purposes. This promotes accountability and establishes an "emergency handle" for when all else fails.
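The checks behind items 2, 4 and 6 (every access method of a departing admin addressed, no sign-ins after the cut-off, at least two named admins left, and a sealed emergency account that shows no routine use) can be reconciled from an access inventory and an exported sign-in log. The script below is an added example, not code from the original post; the inventory, revocation list, log lines and the `breakglass` account name are all constructed, hypothetical sample data.

```python
from datetime import datetime, timezone

# Constructed sample data (hypothetical; not from any real system).
# Each entry is (principal, system, access method): one row per way in,
# including the "small tools" an admin or vendor accumulates (item 4).
ACCESS_INVENTORY = [
    ("jdoe", "google-workspace", "super-admin-role"),
    ("jdoe", "firewall", "ssh-key"),
    ("jdoe", "wifi", "wpa2-psk"),
    ("jdoe", "backup-server", "local-password"),
    ("asmith", "google-workspace", "admin-role"),
    ("breakglass", "google-workspace", "super-admin-role"),
]

# What has actually been rotated or disabled so far (constructed).
REVOCATIONS = [
    ("jdoe", "google-workspace", "super-admin-role"),
    ("jdoe", "firewall", "ssh-key"),
]

# Sign-in events as a password manager or identity provider would export them
# (item 2): (UTC timestamp, principal, system, event). Constructed.
AUDIT_LOG = [
    ("2024-03-01T09:00:00Z", "jdoe", "google-workspace", "login"),
    ("2024-03-02T08:00:00Z", "asmith", "google-workspace", "login"),
    ("2024-03-02T17:30:00Z", "jdoe", "google-workspace", "login"),
]

TERMINATION_TIME = datetime(2024, 3, 2, 12, 0, tzinfo=timezone.utc)
BREAKGLASS = "breakglass"  # hypothetical name of the sealed emergency account


def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def live_access(inventory, revocations):
    """Access methods still valid after the revocations applied so far."""
    revoked = set(revocations)
    return [row for row in inventory if row not in revoked]


def unrevoked_for(principal, inventory, revocations):
    """Item 4: every access method of the departing principal must be addressed."""
    return [(s, m) for (p, s, m) in live_access(inventory, revocations) if p == principal]


def activity_after(principal, log, cutoff):
    """Items 2 and 4: any sign-in by the departed principal after the cutoff is a finding."""
    return [e for e in log if e[1] == principal and _parse(e[0]) > cutoff]


def admin_coverage(system, inventory, revocations, breakglass=BREAKGLASS):
    """Item 6: named admin accounts remaining on a system, excluding the emergency account."""
    return sorted({p for (p, s, m) in live_access(inventory, revocations)
                   if s == system and m.endswith("admin-role") and p != breakglass})


def breakglass_status(system, inventory, log, breakglass=BREAKGLASS):
    """Item 6: the emergency account must exist and show no routine use."""
    present = any(p == breakglass and s == system for (p, s, _) in inventory)
    sealed = not any(e[1] == breakglass for e in log)
    return present, sealed


def offboarding_report(principal, system, cutoff,
                       inventory=ACCESS_INVENTORY, revocations=REVOCATIONS, log=AUDIT_LOG):
    """Reconcile inventory, revocations and log into the findings an offboarding review needs."""
    present, sealed = breakglass_status(system, inventory, log)
    admins = admin_coverage(system, inventory, revocations)
    return {
        "unrevoked": unrevoked_for(principal, inventory, revocations),
        "activity_after_cutoff": activity_after(principal, log, cutoff),
        "named_admins": admins,
        "enough_admins": len(admins) >= 2,
        "breakglass_present": present,
        "breakglass_sealed": sealed,
    }


if __name__ == "__main__":
    for key, value in offboarding_report("jdoe", "google-workspace", TERMINATION_TIME).items():
        print(f"{key}: {value}")
```

On the constructed data the report shows two of the departed admin's access methods still unrevoked (the wireless key and a local password), one sign-in after the termination time, and only a single named admin left on the workspace once the departed account is removed, which is exactly the gap item 6 is meant to close; the emergency account is present and has never signed in, so it still counts as sealed.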